A tampered copy of FileZilla quietly contacts attacker-controlled servers using encrypted DNS traffic that can slip past traditional monitoring.
www.malwarebytes.com
A trojanized copy of the open-source FTP client FileZilla 3.69.5 is circulating online. The archive contains the legitimate FileZilla application, but with a single malicious DLL added to the folder. When someone downloads this tampered version, extracts it, and launches FileZilla, Windows loads the malicious library first. From that moment on, the
malware runs inside what appears to be a normal FileZilla session.
Because the infected copy looks and behaves like the real software, victims may not realize anything is wrong. Meanwhile, the malware can access saved FTP credentials, contact its command-and-control server, and potentially remain active on the system. The risk does not stop with the local computer. Stolen credentials could expose the web servers or hosting accounts the user connects to.
This attack does not
exploit a vulnerability in FileZilla itself. It depends on someone downloading the modified copy from an unofficial website and running it. The spread mechanism is simple deception, such as lookalike domains or search poisoning, rather than automatic self-propagation.
